Denmark, we have a problem

28 September 2015

Page Content

​The cybercrime threat is bigger than the terrorist threat, but companies, authorities and individuals know very little about the enormous security risks related to something as simple as posting a selfie on Facebook. At the Danish Bankers Association’s IT security conference in Copenhagen on Monday 28 September, experts and politicians made it clear that private companies and public authorities need to focus more on IT security and working together.

A new study from PwC shows that the scale of cybercrime attacks has increased within the last year from 28 million to 42 million. According to PwC, it costs a company or public authority on average DKK 20 million to get back on its feet again after a cyber-attack. While the British high street bank, Lloyds, estimates that the total annual cost of cybercrime is approximately USD 400 billion.

These figures had Danish politicians, IT security experts from private companies, public authorities and representatives from the media paying close attention from the outset of the Danish Bankers Association’s conference “Cyber security – a challenge facing society”.

“Banks survive on customer trust. Customers need to feel safe when they entrust us with their money and data, even though we are continually subjected to attempts to break into our online banking system, credit card fraud and phishing attacks,” Ulrik Nødgaard explained by way of introduction, while also urging politicians to create a forum, where private companies and public authorities can cooperate on IT security.

“IT security problems are only going to increase from now on. Therefore, it’s important that we strengthen international cooperation so that the police have the best opportunities to investigate across borders,” Ulrik Nødgaard continued to emphasise in his opening speech.

IT security is a managerial responsibility

According to the first keynote speaker of the conference, Mads Nørgaard Madsen, who is Head of Technology and Security at PwC, companies, authorities and individual citizens are not aware of the security risks related to being online.

“Today, we share everything, we take selfies and photos of all sorts of things, we fling things online from left to right and we provide all kinds of services on our home pages. However, we are not aware of the fact that these things can be abused,” Mads Nørgaard Madsen explained and continued:

“Technological developments are so fast that we forget about security. Every single time we buy a device that can go online we expose ourselves to security threats. Although a lot of companies today equip their employees with iPads and mobile phones, very few of these companies have a security policy and a security strategy. This means that being an IT criminal is synonymous with lots of money and no risk – it’s actually an open buffet.”

“So, what do we do with the growing digitalisation of society and the increasing threats?” Mads Nørgaard Madsen asked the packed audience, letting the question hang in the air.

No answer.

“Very few Danish companies are familiar with the threat and very few companies have carried out a security assessment, so they don’t know how vulnerable they actually are. There is a lack of resources and competencies on all sides today,” Mads Nørgaard stated, delivering the first of his two main points:

“IT security is a managerial responsibility – it is not something that companies should assign to an IT technician. Companies need to have a prominent cyber security culture in everything they do. You can save a lot of money by thinking about security from the very beginning and I’m certain that IT security will become an extremely important competitive parameter.”

Mads Nørgaard Madsen followed up with his second main point:

“If we are to succeed in changing the culture surrounding IT security, I believe that we need to focus on education. We should start as early as primary school and I also think that universities should be obligated to create an understanding for security problems across all fields of education. We simply cannot wait,” he concluded.

Cooperation is key

The conference’s second main speaker was Troels Ørting Jørgensen, who is the Group Chief Information Security Officer at the British high street bank, Barclays.

“We have 132,000 employees in 50 countries and 48 million customers. I’ll be the first to admit that managing security is enough to turn your hair grey,” the IT security manager, who was previously employed at Europol, stated.

“Just like many other banks, including Danish banks, we at Barclays are working towards a scenario, where all banking operations take place online. Banks focus on privacy and security, while easy and convenient solutions are a top priority for customers. It’s a challenge to protect all of our information, including third party information, and simultaneously innovate and deliver financial services and products quickly and conveniently in a security scenario, where we are exposed to thousands of cyber-attacks every day,” Troels Ørting Jørgensen explained.

He continued:

“At Barclays we have 4,000 computer programmers and 3,000 technical designers – we’re almost a software company. Nevertheless, if we are to make the internet a safer place we need to cooperate with other banks, sectors and public authorities in solving security issues. Today, we mostly work with Europol, as no nation or company can tackle this issue alone – and that is something that we really need to understand. We need to remember that in the physical world, you can only carry out one robbery at a time, but in cyberspace you can commit one million robberies within 20 seconds. And anyone can be a cybercriminal if they want to. It really is that easy.”

Troels Ørting Jørgensen also recommended a change in the whole culture surrounding IT security. “We all need to know a lot more about IT security,” he said. “It needs to become a fully integrated part of our culture, as we need a lot more than just antivirus software and firewalls. And here, politicians have the task of ensuring that there is more education in this area and more cooperation between private companies and public authorities – and I completely agree with this.”

A bigger threat than terrorism

In the final panel debate, the former Minister for Justice, Morten Bødskov and the Danish People’s Party’s newly elected spokesman on IT and telecommunications, Jan Callesen had the opportunity to express their opinions on IT security.

Morten Bødskov kick-started the debate:

“We’re discussing a topic, IT security, which is top of the pops around the entire world. This was the topic discussed by the American and Chinese presidents at their recent summit meeting. I think this is a very good illustration of the size of the threat we are facing. The FBI also has its own, separate list of most wanted cybercriminals. The threat we are facing is only going to increase. Cybercrime is a much larger threat than terrorism,” Morten Bødskov said.

“The main problem is that we politicians are already lagging behind. And if we do finally succeed in catching a teenager from a damp cellar in Ukraine, we don’t have any extradition treaties. Therefore, the entire system is facing a challenge,” Bødskov continued and suggested cybercrime as a topic in the future political agreement governing the activities of the police authorities. Jan Callesen was open towards this:

“We need to look at IT security politically, because it’s all about the security of citizens. I will therefore take this matter further. Making cybercrime a part of the political agreement is actually a very good idea,” acknowledged the Danish People’s Party’s spokesman on IT and telecommunications. Jan Callesen also made it clear that he would like to see IT security as part of the curriculum in schools.

“My own son knows a lot more about what you can and can’t do with a phone or an iPad. I simply don’t believe that parents are capable of undertaking the task of equipping their children so they can move safely online. Primary school is a far better place for this.” Jan Callesen argued.

Opt-out on EU Justice and Home affairs

Morten Bødskov took the opportunity to briefly connect the debate on IT security with the upcoming vote on 3 December concerning the Danish opt-out on EU Justice and Home affairs.

“I think we need to listen to the Danish police. If you can’t see the value of Denmark being part of a close international cooperation concerning topics such as cybercrime, well… I think that we should make everything simple and vote yes and I mean this very seriously,” said the former Minister for Justice, directly addressing Jan Callesen.

“Morten, you know very well that I don’t think the opt-out on EU Justice and Home affairs has anything to do with the police. Of course, I support collaboration across borders in connection with the fight against cybercrime,” Callesen replied.

“Yes, that’s right, you want to have individual referendums on all legislation, so we incessantly run to and from the ballot box,” Morten Bødskov retorted before interrupting the political teasing himself:

“But, we aren’t here to discuss the opt-out,” he began, which was met with smiles from the audience.

”If I may say so, it is fairly clear to everyone, that I believe that we need a close collaboration across borders, just as I agree with the Danish Bankers Association that here in Denmark, we need to increase cooperation between private companies and public authorities – and the authorities in between. I would also say that I’m not an opponent of market economy powers and IT security can very well become a competitive parameter. We could do with companies creating an account in terms of security policy, as well as the normal balance. Just as you can receive good interest rates at the bank, you can also receive good security. I’m just saying that there are also positive possibilities related to IT security,” Morten Bødskov highlighted.